Tags: c#, asp.net, webforms, xss, penetration-testing

Request.PathInfo issues and XSS attacks


I have a couple of websites running on .NET 3.5 still due to an API restriction. We will eventually move these sites to the latest .NET version this year. One of the penetration tests indicated a possible XSS vulnerability. The URL in question is:

Location: http://www.foobar.com/basket.aspx/scripts/searchresults.aspx

Method: GET

Vulnerable Parameter: name of an arbitrarily supplied URL parameter

Basically, anything after basket.aspx like scripts/searchresults.aspx will cause the issue. From what I can determine, Request.PathInfo will try to find the path and eventually reach searchresults.aspx (if the .aspx page exists) but all my CSS and scripts can't be found due to relative paths. The page essentially breaks. It's unclear how this could cause an XSS vulnerability. Nevertheless, it does break the page.

My question: Is Request.PathInfo needed? In my preliminary tests, if I check Request.PathInfo, I can determine that it may be a bad URL request:

// Page (or Global) object handed in by the caller; its Request exposes PathInfo,
// the extra path segments after the .aspx file name.
FooBar.Global pageObj = obj;

if (pageObj.Request.PathInfo.Length > 0)
{
    Response.Redirect("~/sitemap.aspx", true); // bad URL: send to site map
}

Solution

Is Request.PathInfo needed?

PathInfo isn't required by ASP.NET WebForms. It can be helpful for search engine optimization, but if you don't use it, go ahead and disable it. You can add your code snippet, or you can install UrlScan and set the AllowDotInPath option to 0.

How could this cause an XSS vulnerability?

Your page may be vulnerable to a Relative Path Overwrite (RPO) attack if all these criteria are met:

1. An attacker can inject content (for example, a blog comment) somewhere into the page.
2. Your page references a CSS stylesheet via a relative path.
3. PathInfo is enabled.

By appending PathInfo to the URL, an attacker can cause your page to load itself as the stylesheet because ASP.NET resolves Page.aspx/Master.css to just Page.aspx, not to Master.css. Due to the lax (by design) parsing rules for CSS, the attacker's content may be interpreted as valid CSS, which is especially bad for old versions of Internet Explorer that allow JavaScript in CSS. Even in modern browsers, a malicious stylesheet can inject content that misleads other users.

I want to use PathInfo. How can I mitigate this vulnerability?

Use absolute paths to reference all CSS stylesheets. For example, you can call the ResolveUrl method with an app-relative path (a virtual path starting with ~/):

<link href='<%= this.ResolveUrl("~/App_Themes/MySite/Master.css") %>' rel="stylesheet" type="text/css" />

Caution: Don't use the ResolveClientUrl method because it returns a relative path.
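As an added example (not code from the question or the answer above), the same PathInfo check applied site-wide from Global.asax.cs, so that every .aspx request carrying PathInfo is turned away before any page can render itself as a stylesheet. It assumes a standard WebForms project; the Global class name and the sitemap.aspx target are taken from the question, and the IsRootedHref helper is an assumed convenience for checking that stylesheet hrefs are absolute, as the answer recommends.

```csharp
using System;
using System.Web;

// Global.asax.cs: reject PathInfo for the whole site instead of page by page.
// Removing PathInfo breaks precondition (3) of the RPO attack, so a page that
// still links its stylesheet with a relative path cannot be loaded as CSS.
public class Global : HttpApplication
{
    // True when the URL has extra segments after the handler's file name,
    // e.g. /basket.aspx/scripts/searchresults.aspx -> PathInfo is
    // "/scripts/searchresults.aspx".
    public static bool HasPathInfo(HttpRequest request)
    {
        return !string.IsNullOrEmpty(request.PathInfo);
    }

    // True when a stylesheet href cannot be re-based by PathInfo: it is either
    // root-relative ("/App_Themes/...", which ResolveUrl("~/...") produces) or
    // absolute ("https://..."). A bare "Master.css" or "../Master.css" is not.
    public static bool IsRootedHref(string href)
    {
        if (string.IsNullOrEmpty(href))
        {
            return false;
        }
        return href.StartsWith("/", StringComparison.Ordinal)
            || Uri.IsWellFormedUriString(href, UriKind.Absolute);
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!HasPathInfo(app.Request))
        {
            return;
        }

        // Send the request to the site map, as in the question's snippet, and
        // end the pipeline so no page handler runs for the bad URL.
        app.Response.Redirect("~/sitemap.aspx", false);
        app.CompleteRequest();
    }
}
```

Run the check against your own master pages: any <link rel="stylesheet"> whose href fails IsRootedHref is a candidate for the ResolveUrl("~/...") change.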